Best practices to mitigate SQL injections on forms

Question

Hi, 
 Are there any best practices when creating forms to mitigate SQL injections? 
 We can do a validation on text fields to make sure certain character strings are not present but I'm not sure if that is a best practice or does the Appian cloud environment have application firewalls to mitigate this kind of thing from happening. 
 Any input is appreciated. 
 Thanks, 
 Gary

Parmida Borhani · Accepted Answer

SQL injection protection is more about how you interact with the database than with how you collect data in a form. Whenever you interact with a database using Appian's out-of-the-box database functionality (like a!queryentity(), query rules, the write to data store smart service, etc), Appian uses prepared statements and parameterized queries when it actually talks to the database. This is the standard way to protect against SQL injection and is recommended by OWASP: www.owasp.org/.../SQL_Injection_Prevention_Cheat_Sheet . 
 
Long story short, if the way you interact with the database is solely through out-of-the-box functionality then you don't need to worry about adding input validation to all of your forms as the platform will handle the SQL injection protection for you. 
 
If you're passing the user-entered data through a plug-in or over a web service or through some other mechanism that does not use Appian's out-of-the-box database interactions, SQL injection might be a concern depending on how that plug-in or service is implemented.

Mike Schmitt · Answer

As far as I've ever seen, any on-form input text is sanitized internally such that SQL injection shouldn't be easily possible - though I'll admit I haven't tried very hard to test this. Have you observed evidence to the contrary?

mukeshm · Answer

I also, copy Mike. We used to have this issue in non-appian website as mostly Java script is there. In apian forms, sql statement does not execute, as far as I aware..

Best practices to mitigate SQL injections on forms

Top Replies